[00:02.660 --> 00:05.140]  Hi, DEF CON. I'm Shai Nechman.
[00:05.280 --> 00:07.740]  Today, I'll present InfectionMonkey,
[00:07.740 --> 00:10.580]  an open-source breach and attack simulation tool.
[00:10.580 --> 00:12.880]  We'll cover what the monkey is,
[00:12.880 --> 00:15.480]  how you can use it to improve your network defenses,
[00:15.480 --> 00:17.140]  or step up your testing,
[00:17.140 --> 00:19.140]  and we'll go through a deep demo.
[00:19.180 --> 00:22.380]  But first, let's dive into the breach.
[00:22.380 --> 00:24.220]  We're going to see a simulation of a breach
[00:24.800 --> 00:28.820]  that we saw in one of our real customers' networks.
[00:29.720 --> 00:33.640]  As always, a server was breached.
[00:33.640 --> 00:35.320]  That's how it starts.
[00:35.320 --> 00:37.340]  Once inside the network,
[00:37.340 --> 00:39.360]  the attackers were able to move laterally
[00:39.360 --> 00:42.940]  using a vulnerable out-of-date Hadoop service
[00:42.940 --> 00:47.920]  on a Linux server to jump to that Linux server.
[00:48.260 --> 00:51.100]  That's the red line you're seeing on the map here.
[00:51.680 --> 00:54.120]  And the attackers exfiltrated information
[00:54.540 --> 00:57.200]  back to their original breach server
[00:57.200 --> 00:59.260]  through an uncommon port.
[00:59.260 --> 01:02.100]  That's the gray line on the map.
[01:04.620 --> 01:06.960]  After the original propagation,
[01:06.960 --> 01:10.380]  the attackers were able to scan and find even more servers,
[01:10.380 --> 01:12.500]  both Windows and Linux machines.
[01:12.500 --> 01:14.600]  They stole credentials, breached more servers
[01:14.600 --> 01:17.000]  using other protocols like SSH.
[01:17.000 --> 01:19.940]  They even set up a tunneling station there in the middle.
[01:20.140 --> 01:21.980]  That's the blue line.
[01:22.380 --> 01:26.060]  Into a different sub-network entirely.
[01:26.960 --> 01:30.040]  And started hopping, started stealing,
[01:30.040 --> 01:32.800]  and basically took over the network.
[01:32.800 --> 01:34.760]  And my question to you is,
[01:34.760 --> 01:37.600]  how would your organization respond?
[01:37.720 --> 01:39.680]  Now, this being DEF CON, obviously,
[01:39.680 --> 01:41.220]  I don't only mean your organization.
[01:41.220 --> 01:45.120]  I also mean the organization that you might be testing right now.
[01:46.100 --> 01:49.660]  How would your organization respond to specific attack scenarios
[01:49.660 --> 01:52.260]  like someone stealing credentials,
[01:52.260 --> 01:55.120]  someone compromising a web server,
[01:55.240 --> 01:57.760]  a malicious device logging into the network,
[01:57.760 --> 02:01.920]  some blast radius attacks like pass-the-hash or connectivity checks?
[02:01.920 --> 02:04.380]  What would the security do?
[02:04.380 --> 02:07.380]  Would alerts be thrown? Would the SOC respond?
[02:07.380 --> 02:09.980]  Would you know the attacker's visibility?
[02:11.880 --> 02:14.220]  Let's take a look at a case study.
[02:14.220 --> 02:17.580]  We have an environment, a large development network,
[02:17.580 --> 02:22.640]  with a mix of Linux and Windows servers.
[02:22.640 --> 02:26.440]  Multiple security products deployed on-site,
[02:26.440 --> 02:29.720]  McAfee Move, an IDS on the network,
[02:29.720 --> 02:32.460]  and the firewall between different segments.
[02:32.460 --> 02:36.340]  And the scope of this test, the test scenarios,
[02:36.340 --> 02:39.740]  were malicious devices logging into the network
[02:39.740 --> 02:42.880]  and stealing some credentials.
[02:43.420 --> 02:44.980]  What happened?
[02:45.740 --> 02:48.020]  Well, what you would expect.
[02:48.020 --> 02:50.760]  There were no security alerts,
[02:50.760 --> 02:54.740]  even though we had more than 5,000 different attack attempts,
[02:54.740 --> 02:58.120]  and there were no alerts on brute force attempts as well.
[02:58.120 --> 03:00.780]  The antivirus solution was completely irrelevant
[03:00.780 --> 03:04.080]  to stop the lateral movement inside the network.
[03:04.340 --> 03:09.700]  The firewalls, while deployed, did not stop the cross-segment traffic.
[03:09.720 --> 03:12.360]  And doing some credentials analysis,
[03:12.360 --> 03:15.520]  we saw that a single old password that we stole
[03:15.520 --> 03:18.820]  allowed login to all the Linux servers,
[03:18.820 --> 03:23.940]  and some Windows machines had the domain admin passwords cached on them,
[03:23.940 --> 03:26.540]  therefore were usable for propagation.
[03:26.920 --> 03:30.460]  This all brings me to the point of our talk today.
[03:32.020 --> 03:34.520]  What is InfectionMonkey?
[03:34.740 --> 03:39.400]  So let's try to answer that by looking at a few key ideas.
[03:40.100 --> 03:44.080]  The monkey is a breach and attack simulation tool.
[03:44.080 --> 03:46.260]  It simulates an internal attacker,
[03:46.260 --> 03:49.080]  which tests whether your security systems work,
[03:49.080 --> 03:52.420]  whether they detect, they alert, they actually block something.
[03:52.880 --> 03:58.220]  The monkey helps you make sure that changes don't open up new holes.
[03:58.780 --> 04:01.880]  It's automated, semi-automated.
[04:01.880 --> 04:04.420]  You have to run it manually the first time,
[04:04.420 --> 04:08.440]  and it's exhaustive as much as it can be.
[04:08.760 --> 04:13.440]  The second key idea to take a look at, it's open source and free.
[04:13.520 --> 04:15.540]  This is a community project.
[04:15.540 --> 04:19.800]  It's managed by GuardiCore Labs, but it is completely free, completely open source.
[04:20.180 --> 04:24.760]  We have over 3,200 stars on GitHub,
[04:24.960 --> 04:29.400]  a big active user base, hundreds of downloads a week.
[04:29.420 --> 04:34.160]  This is by the community, for the community.
[04:34.820 --> 04:41.180]  The third key idea to take a look at is the fact that the monkey is safe for production networks.
[04:42.160 --> 04:48.820]  The monkey is being executed right now by large organizations in various verticals,
[04:48.820 --> 04:58.550]  big telecom companies, education, school counties, universities, healthcare, in their production network.
[04:58.900 --> 05:06.900]  The monkey is built to run on these infrastructures, on these critical infrastructures, and not crash them.
[05:06.900 --> 05:13.980]  That puts some limitations on what the monkey can do while attempting to breach, while attempting to attack.
[05:13.980 --> 05:23.200]  But safety is the first priority, since we do want people to run this in production networks and not lose their jobs.
[05:23.440 --> 05:25.200]  And it's useful for you.
[05:25.200 --> 05:31.740]  If you're a network engineer, a security engineer, a red teamer, a blue teamer, a purple teamer, a CISO,
[05:31.740 --> 05:35.020]  the monkey could be useful for you.
[05:35.020 --> 05:37.140]  And stick around to figure out why.
[05:37.940 --> 05:44.040]  Since this is DEF CON, let's try to explain what is the infection monkey by comparing it to existing solutions.
[05:44.080 --> 05:51.120]  You're all very familiar with classic manual penetration testing and with vulnerability scanners.
[05:51.440 --> 05:56.060]  Let's see how the monkey compares to these solutions that you know.
[05:56.740 --> 05:59.260]  So here's a data center we visualized.
[05:59.260 --> 06:02.280]  Each node in the graph represents a machine.
[06:02.280 --> 06:10.100]  Each link in the graph, each edge represents a possible route between two machines.
[06:10.980 --> 06:15.560]  If we're talking about vulnerability scanners, and we plop one down here.
[06:16.640 --> 06:25.420]  And when we test the network using this vulnerability scanner, we place it in one or more places across the network.
[06:25.420 --> 06:33.560]  And as you can see, it sort of checks every single route to that machine.
[06:33.880 --> 06:44.260]  If we place enough scanners properly, we can probably test most parts of our network for remote vulnerabilities on an ongoing basis.
[06:44.820 --> 06:48.860]  But it won't be able to simulate an attacker's move.
[06:49.120 --> 06:53.160]  So talking about coverage depends on how you deploy it.
[06:53.160 --> 06:58.680]  Frequency, you can do it whenever you want, since this is an automated tool.
[06:58.680 --> 07:02.320]  But it does not simulate an attack at all.
[07:02.340 --> 07:07.740]  Therefore, sometimes the results of vulnerability scanners are exaggerated.
[07:07.740 --> 07:12.620]  It's huge lists of CVEs that you can't deal with.
[07:12.620 --> 07:16.380]  And they don't actually simulate what happens.
[07:16.380 --> 07:23.020]  So they might be closing routes, which are completely irrelevant for attackers that attackers will never use.
[07:23.460 --> 07:27.580]  On the other end of the spectrum, you have penetration testing.
[07:27.580 --> 07:33.520]  Here, we place the penetration tester on one side of the network, the red team.
[07:33.540 --> 07:38.640]  And we give them a goal, some valuable assets.
[07:39.200 --> 07:43.320]  And as you can see, some machines are exploited, some are not.
[07:43.440 --> 07:46.200]  Eventually, the red team reaches their goal.
[07:46.380 --> 07:49.360]  This is another popular method.
[07:49.360 --> 07:51.700]  The pen tester can start from the internet.
[07:51.920 --> 07:55.680]  Sometimes that includes phishing attempts or whatever.
[07:55.920 --> 08:02.460]  But in the end, he gets to the network and simulates an APT.
[08:02.800 --> 08:12.360]  On the one hand, you get yourself a professional in-depth testing, especially if the penetration tester is good.
[08:12.360 --> 08:16.600]  Which sort of unveiled a weak path here, the red path.
[08:18.460 --> 08:23.680]  And sort of discovered some weak points across the data center.
[08:23.680 --> 08:25.540]  So the testing is in-depth.
[08:26.260 --> 08:29.600]  But what if there are more routes?
[08:29.600 --> 08:34.340]  Obviously, the human tester cannot cover all possible paths.
[08:34.340 --> 08:36.860]  So the coverage might be low.
[08:36.860 --> 08:47.420]  What happens if a few days after this penetration tester stops his or her work and leaves?
[08:47.440 --> 08:54.110]  The highly dynamic data center sets up a ton of new resources and deploys three new apps.
[08:54.940 --> 09:00.190]  How would these results help those network changes?
[09:00.440 --> 09:05.600]  After all, penetration testers don't work on a daily basis. That just won't work.
[09:05.600 --> 09:13.880]  So the coverage is low, the frequency is low, but it does simulate an attacker, so it does do in-depth testing.
[09:14.340 --> 09:19.280]  The monkey tries to take the best of both worlds.
[09:19.460 --> 09:24.360]  It's automatic, so the coverage and frequency are high.
[09:24.480 --> 09:32.300]  It's in-depth, since it simulates an attacker and it actually propagates across the network.
[09:32.300 --> 09:36.000]  And the best of all, it's free, since it's open source.
[09:36.920 --> 09:41.420]  Let's take a quick look at the main features of InfectionMonkey.
[09:42.050 --> 09:46.960]  The monkey is highly configurable, so it can fit different use cases.
[09:47.200 --> 09:51.120]  It has various attack techniques.
[09:51.560 --> 09:56.860]  It uses brute forcing, it steals credentials and passes the hash around.
[09:56.860 --> 09:59.660]  It has wormable CVEs that are optional.
[09:59.660 --> 10:04.140]  If you're worried about running CVEs in your network, you can turn these off.
[10:04.320 --> 10:06.820]  Same for credential brute forcing, by the way.
[10:07.060 --> 10:11.760]  So you get quite a lot of attack techniques built into the tool.
[10:13.580 --> 10:17.480]  Actionable reporting. This is really the meat of the matter.
[10:17.480 --> 10:21.920]  You're going to see the reports later on in the demo, so we won't delay on this now.
[10:21.920 --> 10:24.600]  But the monkey has three reports.
[10:24.600 --> 10:32.680]  The first one being a security report aimed towards whomever wants the details.
[10:32.700 --> 10:36.280]  This is the most actionable report out of all of them.
[10:36.280 --> 10:37.800]  A Zero Trust Report.
[10:37.800 --> 10:44.040]  If the organization you're testing or your organization is using the Zero Trust lingo,
[10:44.040 --> 10:47.020]  the Zero Trust Extended Framework by Forrester,
[10:47.020 --> 10:55.280]  this is the first-of-its-kind report card on where are you in your Zero Trust journey.
[10:57.020 --> 11:00.000]  And lastly, the MITRE ATT&CK Report.
[11:00.000 --> 11:03.160]  If you're familiar with the MITRE ATT&CK Framework,
[11:03.940 --> 11:10.480]  the monkey maps its actions to the techniques that this framework offers,
[11:10.480 --> 11:15.740]  and you get actionable mitigations on each technique that the monkey successfully used.
[11:15.740 --> 11:20.320]  We're going to take a deeper look into those reports later on in the demo.
[11:21.140 --> 11:23.260]  And lastly, it's easily deployable.
[11:23.260 --> 11:26.980]  We didn't want some expert, super-hard tool.
[11:27.000 --> 11:31.660]  This is supposed to democratize penetration testing and be easy for the community.
[11:31.800 --> 11:34.460]  We have one-click options for cloud environments,
[11:34.460 --> 11:38.440]  so if you're testing a cloud environment, just hop onto the Marketplace. It's free.
[11:38.520 --> 11:44.020]  If you're not using a cloud environment, there is a Windows Installer, a Linux Installer,
[11:44.120 --> 11:50.980]  a Debian package, a Docker machine, a Docker image ready with the Infection Monkey installed,
[11:50.980 --> 11:55.780]  and a VMware OVA file.
[11:55.820 --> 12:00.340]  So no matter where you're running, no matter which way you like to deploy machines,
[12:00.340 --> 12:01.760]  we've got you covered.
[12:02.000 --> 12:10.320]  And it's very easy to use with a friendly web interface aimed towards getting results quickly.
[12:10.320 --> 12:15.340]  What the monkey should be able to offer you is a different perspective.
[12:16.460 --> 12:21.520]  What you have, what your organization has is a very nice, you know, Visio chart.
[12:21.520 --> 12:27.420]  You always see these in presentations that show everything is segmented.
[12:27.420 --> 12:30.080]  Everything is beautiful. We have no problems.
[12:30.580 --> 12:34.440]  But we have the monkey telling us what's really happening.
[12:34.440 --> 12:37.920]  So on the other hand, you can see the attacker's knowledge
[12:37.920 --> 12:43.640]  and maybe find paths that you didn't think were possible.
[12:43.960 --> 12:52.320]  And you have the application diagrams and our tools can tell us who's really communicating with whom.
[12:52.360 --> 12:59.320]  And obviously, as we know, in reality, it's all just a big mess that is just waiting to burst up in flames.
[12:59.940 --> 13:04.420]  So which use cases is the monkey relevant for?
[13:05.300 --> 13:08.700]  Going back to the beginning of this presentation,
[13:08.700 --> 13:14.700]  it can help you test specific attack scenarios in a continuous and automatic manner.
[13:16.420 --> 13:20.600]  Demonstrate breach detection, test for segmentation.
[13:21.760 --> 13:25.540]  If we're talking about some specific scenarios, credentials tapped,
[13:25.540 --> 13:31.240]  you can feed the monkey with credentials of an IT team member and see how far it can go.
[13:31.240 --> 13:36.480]  You can test what damage results from having specific servers compromised.
[13:36.480 --> 13:43.320]  Let's say testing from one location, maybe the web applications of your organization,
[13:43.320 --> 13:48.060]  something happens in the databases, stuff like that.
[13:49.200 --> 13:52.440]  Malicious device, someone added a malicious machine,
[13:52.440 --> 13:58.440]  like a contractor maybe bringing his laptop to on-site and connecting to the internal network,
[13:58.440 --> 14:07.520]  but that laptop is completely full of malware and seeing how far the attack can go from there.
[14:07.520 --> 14:11.360]  Or blast radius, let's try to limit damage from a breach.
[14:11.360 --> 14:16.000]  Are your firewalls and the routing rules and whatever separating different networks?
[14:16.000 --> 14:19.660]  Let's say the development network and the production network.
[14:20.260 --> 14:23.900]  Another example could be a pass-the-hash attack.
[14:23.900 --> 14:29.860]  Can attackers build a path that shouldn't exist from a server to a domain controller
[14:29.860 --> 14:34.110]  using cached credentials or SSH keys that are left on the machine?
[14:34.920 --> 14:41.380]  The monkey can help you test the existing security setup, the security strategy of an organization,
[14:41.380 --> 14:48.120]  see if alerts are popping up, check if the SOC is responding correctly to an attack,
[14:48.120 --> 14:53.200]  where the organization stands in their zero trust journey,
[14:53.200 --> 14:58.880]  or how much of the MITRE ATT&CK framework are they limiting?
[14:58.880 --> 15:00.820]  How much are they covering?
[15:01.240 --> 15:05.860]  And the main thing, the main benefit that the monkey can give you,
[15:05.860 --> 15:12.380]  if you want to test your network or if you want to present your findings as a red teamer,
[15:12.380 --> 15:16.800]  is to show the visibility from the attacker's point of view,
[15:16.800 --> 15:26.620]  not in the sort of high-level way that the visios usually show it.
[15:27.180 --> 15:30.640]  So, we're going to jump into a demo.
[15:30.680 --> 15:36.020]  In this demo, the first thing we're going to do is run a simulation
[15:36.020 --> 15:44.140]  with a few different use cases in the configuration, and I'm just going to pop into it.
[15:44.980 --> 15:49.360]  So, when you open the InfectionMonkey island,
[15:49.360 --> 15:53.360]  that's the command and control server of InfectionMonkey,
[15:53.360 --> 15:56.780]  for the first time after you deploy it, this is what you're going to see.
[15:56.780 --> 16:03.300]  A friendly UI, one, two, three, four, that's the stuff you need to do to get started.
[16:03.300 --> 16:04.820]  So, let's get started.
[16:04.960 --> 16:09.460]  It tells us to go ahead and run the monkey, and we jump here,
[16:09.460 --> 16:13.800]  and it offers us to configure the monkey to fine-tune its behavior.
[16:13.800 --> 16:17.060]  Since I already have a test scenario in mind,
[16:17.060 --> 16:21.160]  I will choose this option and hop into the configuration.
[16:21.600 --> 16:25.820]  Here you can see we have a few different tabs for configuration.
[16:25.820 --> 16:31.400]  If you want to mess with the monkey, choose which techniques it will attempt
[16:31.400 --> 16:33.440]  and which techniques it will not attempt.
[16:33.440 --> 16:36.560]  If you're familiar with the MITRE ATT&CK framework,
[16:36.560 --> 16:39.660]  and that's how you like to use stuff,
[16:39.660 --> 16:44.100]  we mapped everything that the monkey does to the MITRE ATT&CK framework.
[16:44.100 --> 16:46.100]  We're not going to do this today.
[16:46.180 --> 16:50.120]  What we are going to do is first hop onto the network tab
[16:51.000 --> 16:54.820]  and define the scope of this test.
[16:56.000 --> 17:02.500]  And this is important since this is what will aim the monkey towards specific servers.
[17:02.500 --> 17:06.100]  Now, the monkey doesn't have to be aimed towards specific servers.
[17:06.100 --> 17:12.340]  We can check this and the monkey will just try to propagate to any machines it can find
[17:13.900 --> 17:19.020]  along with the targets that we will manually configure.
[17:19.020 --> 17:26.300]  But in this instance, I only want it to run on the targets that I've defined.
[17:26.620 --> 17:34.780]  And I want it to hop from the initial infection point three deep.
[17:35.820 --> 17:39.260]  Sort of giving a spoiler here, but jumping to the map,
[17:39.260 --> 17:44.320]  the monkey started from here, but you can see it hopped pretty deep,
[17:44.320 --> 17:47.780]  three deep from the original place where it started.
[17:47.780 --> 17:51.620]  This is the scan depth configuration.
[17:52.140 --> 17:57.600]  Moving on to the target list, this is the list of the targets that the monkey tried to scan
[17:57.600 --> 18:00.520]  and obviously attack.
[18:00.520 --> 18:05.120]  So we have quite a... just a bunch of IP addresses here.
[18:05.840 --> 18:13.240]  This is just the IPs that I know I want to test in this demo, in this simulation.
[18:14.280 --> 18:19.220]  And lastly, I also configured the monkey to test for network segmentation.
[18:19.220 --> 18:23.060]  I know I have these three different segments.
[18:23.060 --> 18:32.260]  This network range of a segment, 10.2.0 from 11 to 12.
[18:32.260 --> 18:34.800]  So basically a two server segment.
[18:35.060 --> 18:42.420]  This segment, which is a single IP segment, a network segment that only has one machine.
[18:42.420 --> 18:47.160]  And the slash 24 segment here at 10.2.2.
[18:47.160 --> 18:51.520]  So what I'm telling the monkey is to try and test for network segmentation,
[18:51.520 --> 18:55.840]  see if it can create cross segment communication.
[18:56.620 --> 19:00.800]  Other than setting up the scope of this test,
[19:00.800 --> 19:06.800]  you can also configure which exploits the monkey will try to attempt using the exploit selector here.
[19:07.200 --> 19:12.860]  In this instance, we went with the Struts2 exploiter, the Shellshock exploiter,
[19:12.860 --> 19:16.520]  SSH exploiter, which brute forces using credentials,
[19:17.360 --> 19:25.380]  the MSSQL exploiter, the WMI exploiter, and the SMB exploiter, which again is a brute force exploiter.
[19:25.380 --> 19:28.760]  As you can see here, we have some unsafe exploits.
[19:28.760 --> 19:39.640]  The Microsoft Bulletin 08-067 is an unsafe exploiter that might crash due to the fact that it uses buffer overflow.
[19:39.640 --> 19:44.980]  And we, you know, marking security of our users first,
[19:44.980 --> 19:49.940]  even if you were to check this and check all of the exploiters,
[19:49.940 --> 19:53.600]  and uncheck them and recheck all of them,
[19:53.600 --> 19:55.960]  you won't get the unsafe exploiter.
[19:55.960 --> 19:57.850]  You really have to opt into that.
[19:58.360 --> 20:00.800]  We also set up some passwords here.
[20:00.800 --> 20:08.100]  This is in order to simulate a credentials theft, let's say a phishing attempt was successful.
[20:08.100 --> 20:17.000]  So we got some passwords that the exploiters will try to use and some users here.
[20:18.620 --> 20:24.920]  And yeah, we can take a look at the infection map and see what happened.
[20:25.060 --> 20:27.880]  You can see we started from here.
[20:27.880 --> 20:30.100]  This is the Monkey Island.
[20:30.100 --> 20:31.360]  This is the server.
[20:31.360 --> 20:36.400]  We started from here because we clicked on run on Monkey Island server.
[20:36.400 --> 20:44.080]  And once we clicked on this, everything here went pretty wild.
[20:44.080 --> 20:47.640]  Every red line represents a successful exploitation attempt.
[20:47.640 --> 20:55.620]  So let's just take a look at the line from the Monkey Island to the server called struts2,
[20:55.620 --> 20:57.560]  which obviously is a struts server.
[20:57.560 --> 20:59.240]  Let's take a look at this line.
[20:59.240 --> 21:05.460]  And as you can see here, it was successfully exploited using the struts2 exploiter.
[21:07.180 --> 21:12.340]  And you can also see which services were found on this machine.
[21:12.340 --> 21:16.860]  So you get a mapping of which services were found.
[21:17.160 --> 21:21.940]  And once the monkey got here, did exactly the same.
[21:23.100 --> 21:27.540]  Yellow lines represent scans.
[21:27.540 --> 21:36.360]  These are the monkey trying to scan a machine and trying to find ways to attack it.
[21:36.360 --> 21:39.560]  But in this case, it didn't manage to attack.
[21:39.560 --> 21:43.240]  All the exploiters failed, but it did find open services.
[21:43.240 --> 21:50.340]  So it marks this interaction as a scan line, as a yellow line.
[21:50.620 --> 21:55.760]  Lastly, we have the island communication lines,
[21:55.760 --> 22:02.920]  which just show how the agent communicated back to the command and control server and reported everything back.
[22:03.280 --> 22:08.260]  We also have this nice configuration here with the blue lines.
[22:08.260 --> 22:12.760]  What we can see is the monkey started on the Monkey Island,
[22:13.280 --> 22:17.380]  moved to this server called tunneling-9.
[22:17.380 --> 22:21.740]  This is the first tunneling endpoint.
[22:21.740 --> 22:26.620]  This server connects two network segments.
[22:26.620 --> 22:31.780]  You can think of it like some sort of jump box that the organization is using.
[22:32.560 --> 22:40.540]  This server connects the 10.2.2 subnet to the 10.2.1 subnet.
[22:40.540 --> 22:44.920]  It has two network interfaces, one in each segment.
[22:45.520 --> 22:51.060]  Now the monkey hopped onto this machine and was able to propagate to this machine.
[22:51.060 --> 22:53.160]  For instance, using SSH.
[22:54.140 --> 22:57.120]  Now, what is this blue line?
[22:57.120 --> 23:04.600]  This blue line tells us that the monkey on tunneling-10 needed to send information back to the island.
[23:04.600 --> 23:09.100]  It needed to report back to the command and control server what it has found.
[23:09.520 --> 23:13.400]  However, that's easier said than done.
[23:16.820 --> 23:26.120]  If there was a path between the machine tunneling-10 and the island, the monkey could just send the information back, no problem.
[23:26.120 --> 23:28.680]  However, these two machines are not connected.
[23:28.680 --> 23:30.620]  They are not in the same network segments.
[23:30.620 --> 23:34.400]  They don't have any direct communication in between them.
[23:34.400 --> 23:43.380]  In this case, the monkey on tunneling-9 turned itself into a tunneling server.
[23:43.380 --> 23:52.540]  And enabled tunneling-10 to report back to the monkey island over tunneling communication.
[23:52.540 --> 24:05.400]  In that exact same fashion, this happened twice again with tunneling-11 and tunneling-12 with a different subnetwork, 10.2.0.
[24:05.400 --> 24:12.160]  So what we really had here is two hops between the monkey and the island.
[24:12.160 --> 24:19.420]  And the monkeys helped themselves tunnel the communication back completely automatically.
[24:19.480 --> 24:24.220]  So what we're seeing here is sort of a very deep network test.
[24:24.220 --> 24:34.620]  And the monkey sort of bridging networks and showing how you can hop between different subnetworks in this test instance.
[24:35.280 --> 24:41.100]  Now we can hop on to the security reports section of the monkey.
[24:42.160 --> 24:44.800]  We have three different reports.
[24:44.800 --> 24:47.620]  The first report is the security report.
[24:48.180 --> 24:53.760]  As you can see here, the report starts with an overview.
[24:54.060 --> 24:56.560]  This is sort of the summary of what happened.
[24:56.560 --> 25:01.340]  First of all, it let us know that critical security issues were detected.
[25:01.340 --> 25:10.460]  Which is obviously the case when the monkey was able to run rampant in a network like this, do tunneling, use a ton of exploits and propagate to a ton of different servers.
[25:12.420 --> 25:16.480]  The monkey started propagating on this machine.
[25:17.500 --> 25:22.500]  And it tells us which machine it started on. In this case, it's the island Windows machine.
[25:23.000 --> 25:27.000]  It tells us the configuration we used, which we went over already.
[25:27.000 --> 25:31.080]  Which usernames and passwords were used for brute forcing.
[25:31.160 --> 25:33.400]  Which exploiters were selected.
[25:33.480 --> 25:35.580]  Which IPs were selected to scan.
[25:35.580 --> 25:39.660]  And it notes that the monkeys were configured to avoid scanning local network.
[25:39.660 --> 25:44.400]  This is a really useful feature to limit the spread of monkey.
[25:44.400 --> 25:49.480]  If you want to run it in a network and you're afraid the monkey will just spread all over your network.
[25:49.480 --> 25:52.220]  This is a pretty good way to avoid that scenario.
[25:53.280 --> 25:55.280]  And what did the monkey find?
[25:55.340 --> 25:59.200]  During the simulated attack, the monkey uncovered four threats.
[25:59.280 --> 26:02.340]  Stolen credentials that were used to exploit other machines.
[26:02.340 --> 26:05.800]  Machines that were vulnerable to Shellshock.
[26:05.800 --> 26:13.140]  Machines that are accessible using the passwords we provided for brute forcing.
[26:13.780 --> 26:17.140]  And the struts2 vulnerability as well.
[26:17.420 --> 26:20.240]  So we have two wormable CVEs in our network.
[26:20.240 --> 26:25.140]  And we have two credentials-based attack vectors in our network.
[26:25.140 --> 26:29.220]  And we also found segmentation.
[26:29.220 --> 26:33.200]  Potential weak segmentation and actual segmentation issues.
[26:33.200 --> 26:37.060]  Communication from this segment to this segment.
[26:37.060 --> 26:40.940]  Which we defined as two different segments in the configuration.
[26:40.940 --> 26:43.640]  And from this segment to this segment.
[26:44.320 --> 26:46.560]  Jumping back to the map.
[26:47.140 --> 26:49.520]  This is these lines.
[26:50.760 --> 26:56.140]  From the 10.2.2 segment to the 10.2.1 segment.
[26:56.140 --> 26:58.060]  And these four lines.
[26:58.060 --> 27:03.180]  From the 10.2.1 segment to the 10.2.0 segment.
[27:04.000 --> 27:10.220]  Obviously, if you have your segmentation on lockdown, these communications just won't happen.
[27:12.080 --> 27:18.460]  And on every issue here, you can read more and get more specific details.
[27:18.460 --> 27:20.500]  Which services were used.
[27:20.680 --> 27:24.800]  To which IP was able to communicate, etc.
[27:25.780 --> 27:29.300]  Taking a look at machine-related recommendations.
[27:29.300 --> 27:33.700]  You can see which recommendations we have for each machine.
[27:33.700 --> 27:38.840]  So if we want to fix the critical app, the crown jewel, we can find it here.
[27:38.840 --> 27:41.100]  Let's say it's Tunneling11.
[27:41.100 --> 27:48.080]  And we see that we need to change the user monkey password to a complex one-use password.
[27:48.080 --> 27:51.160]  Because it's shared with other computers on the network.
[27:51.160 --> 27:52.940]  And again, you can read more.
[27:53.140 --> 27:55.660]  Specifically, this is vulnerable to SSH.
[27:56.620 --> 28:04.080]  And you need to do micro-segmentation policies to disable communications that aren't required.
[28:04.280 --> 28:06.760]  Because a tunnel was set up.
[28:06.860 --> 28:10.360]  Which obviously means that the machines aren't locked down.
[28:10.360 --> 28:15.600]  Because they can create communication paths that we didn't want them to create.
[28:17.420 --> 28:19.840]  Some different recommendations.
[28:19.840 --> 28:21.800]  The struts24 machine.
[28:21.800 --> 28:23.880]  Struts2-24 machine.
[28:24.610 --> 28:27.780]  You need to upgrade the struts version.
[28:27.780 --> 28:35.820]  Because the struts server at this machine, which is this IP, is vulnerable to a remote code execution attack.
[28:36.500 --> 28:39.000]  You can get even more details here.
[28:39.000 --> 28:43.560]  The attack was made possible because the server is using an old version of Jakarta.
[28:43.560 --> 28:47.680]  That does the multi-part parser thing.
[28:47.680 --> 28:50.000]  And there is more information.
[28:50.000 --> 28:54.540]  You can click on it and obviously see the CVE public information.
[28:54.600 --> 28:59.980]  And there are a ton of machine-related recommendations here.
[28:59.980 --> 29:06.020]  For example, the machine that was vulnerable to Shellshock tells you that you need to update your bash version.
[29:06.820 --> 29:14.220]  And you need to segment your network to make sure that there is no communication between machines from different segments.
[29:14.220 --> 29:17.760]  The next section of the report shows us the network from the monkey's eyes.
[29:17.760 --> 29:20.840]  This is the part of the attacker's visibility.
[29:21.380 --> 29:24.960]  From the attacker's point of view, this is how the network looked.
[29:26.340 --> 29:27.980]  Basically, Swiss cheese.
[29:28.500 --> 29:33.420]  It tells us that the monkey discovered 10 machines, successfully breached 9 of them.
[29:33.440 --> 29:36.960]  What's the last 10%? Well, it's just the machine we started on.
[29:36.960 --> 29:39.400]  Every single machine in this test was breached.
[29:39.400 --> 29:43.440]  Obviously, this is a test network and we set up this as an example.
[29:43.440 --> 29:48.920]  But this is not very different from the results we've seen when running with customers.
[29:49.140 --> 29:54.860]  Now, we can see a summary of which services and on which machines the monkey has found.
[29:54.860 --> 29:58.500]  This sort of maps your attack surface.
[29:58.500 --> 30:04.580]  This shows which ports can be knocked on and who's answering.
[30:04.580 --> 30:19.840]  For example, the tunneling machine, which has both of these IP addresses, as we've said, 2.2 and 2.1, is accessible from all of these machines using SSH.
[30:20.660 --> 30:26.320]  And the struts24 machine listens on 8080 as well.
[30:26.580 --> 30:31.360]  You can also see which exploits were used on each machine.
[30:31.360 --> 30:36.400]  So if you want a sort of vulnerability assessment summary, you can see that here.
[30:36.400 --> 30:40.220]  This machine was exploited using SMB.
[30:41.220 --> 30:44.600]  Specifically, credentials were stolen using Mimikatz.
[30:46.680 --> 30:50.640]  And you can see the post-breach actions that the monkey has performed.
[30:50.640 --> 30:55.620]  It performed 243 post-breach actions on 7 machines.
[30:55.620 --> 30:58.540]  Which actions? Well, we're going to see in a second.
[30:58.540 --> 31:03.420]  But if you want the whole list, you can see here.
[31:04.340 --> 31:11.820]  And you can see which credentials were stolen from machines in order to propagate further.
[31:11.820 --> 31:17.000]  So this is sort of a credential analysis part of the report.
[31:17.380 --> 31:19.700]  This is the security report.
[31:19.700 --> 31:23.280]  But we also have two other reports.
[31:23.280 --> 31:33.420]  The first one is the Zero Trust report, which is the first Zero Trust assessment report available.
[31:33.920 --> 31:40.980]  As you can see, we've mapped what the monkey does to the seven pillars of the Zero Trust Extended Framework.
[31:41.240 --> 31:48.020]  And we've got a lot of red in this report card because we failed a lot of the tests.
[31:48.020 --> 31:56.920]  The monkey tests for violation of principles defined in the Zero Trust security model.
[31:57.160 --> 32:01.380]  And maps it to each of the seven pillars.
[32:01.420 --> 32:09.380]  Networks, devices, people, workloads, data, visibility and analytics, and automation and orchestration.
[32:10.220 --> 32:13.980]  Now, the gray just means that this wasn't executed.
[32:13.980 --> 32:20.360]  In this test, in this simulation, there wasn't anything relevant for workloads, automation or orchestration.
[32:20.520 --> 32:25.240]  Red means that something related to this component failed.
[32:25.240 --> 32:28.140]  Something related to data failed.
[32:28.420 --> 32:29.740]  Well, what was it?
[32:29.740 --> 32:33.380]  We can take a look at the test results and see exactly what happened.
[32:33.380 --> 32:35.760]  So let's take a look at data, for example.
[32:35.760 --> 32:44.220]  We can see that other than everything else that the monkey has done in propagating, stealing credentials, running exploiters and giving us all this data back,
[32:44.220 --> 32:47.620]  it also scanned for unencrypted access to data.
[32:47.620 --> 32:54.840]  Because one of the Zero Trust principles in relation to data is that you need to secure data at transit by encrypting it.
[32:54.840 --> 33:04.800]  However, while the monkey wasn't able to find Elasticsearch instances, it was able to find an unencrypted HTTP server.
[33:04.800 --> 33:08.920]  Someone is not using HTTPS and that's a problem.
[33:09.240 --> 33:13.280]  Now let's say we want to know even more data about this specific problem.
[33:13.280 --> 33:16.980]  Which servers? When did this happen? What's up with that?
[33:16.980 --> 33:22.540]  We can scroll down to the finding list and see that the monkey was able to access HTTP servers.
[33:22.540 --> 33:30.460]  And if we look at the specific events, we can see exactly which monkey tried to perform the network scan and when.
[33:30.460 --> 33:42.140]  We can see which services it found. It found TCP 80 and then it mapped an HTTP service that was recognized as an open data endpoint.
[33:42.140 --> 33:46.900]  Specifically, it's an Apache server on Ubuntu. And this is the version.
[33:47.740 --> 33:52.120]  So, as you can see from the details, it is a pretty detailed report.
[33:52.120 --> 34:01.400]  You can also export all the events to JSON. So you can run scripts on it, match it up with other APIs, etc.
[34:02.780 --> 34:07.420]  Let's take a look at a different test. Let's take a look at networks, for example.
[34:07.420 --> 34:14.540]  Obviously, with the monkey being a breach and attack simulation tool and GuardiCore being a network company,
[34:14.540 --> 34:20.400]  which sort of mainly maintains this tool, this is the part we invested the most into.
[34:20.400 --> 34:22.800]  And we do have quite a lot of tests here.
[34:23.280 --> 34:27.620]  Now it's time to circle back to all the segmentation problems we saw.
[34:27.740 --> 34:36.020]  The monkey tried to scan and find machines that it can communicate with and do cross-segment communication.
[34:36.020 --> 34:43.240]  And it was able to, so this test failed because Zero Trust Networks tells us that the most important thing we need to do
[34:43.240 --> 34:48.620]  is to apply segmentation and micro-segmentation inside our network to lock that down.
[34:48.620 --> 34:54.740]  Again, if we go back to the findings, we can see that the monkey performed cross-segment communications
[34:54.740 --> 34:58.620]  and we can see exactly which violations occurred.
[34:58.640 --> 35:06.940]  In this instance, Tunneling 10 managed to talk to 10.2.10.11 in this segment.
[35:06.940 --> 35:13.380]  So you get a pretty detailed report on which segmentation violations occurred.
[35:13.380 --> 35:20.680]  If you have a firewall solution or a micro-segmentation solution, every single event here should be an alert.
[35:20.680 --> 35:27.820]  So you can export all these results and try to match them up with the alerts from whatever security solution you have.
[35:30.060 --> 35:36.460]  You can see also that we failed the Network Policy Should Be As Restrictive As Possible test.
[35:36.460 --> 35:40.040]  This is because the monkey was able to tunnel traffic using other monkeys.
[35:40.040 --> 35:45.300]  We also failed this test, which appears in the people pillar as well.
[35:45.300 --> 35:47.460]  So let's take a look at that. What does people mean?
[35:47.460 --> 35:51.720]  Well, it talks about users. People means Zero Trust users.
[35:51.720 --> 36:00.700]  In this case, the monkey tested whether users' permissions to this network and to the resources inside the network are MAC only,
[36:00.700 --> 36:04.040]  mandatory access control, whether it's a need-to-know basis,
[36:04.040 --> 36:11.400]  whether only known users can access the small subset of resources that they should be able to.
[36:12.360 --> 36:15.340]  The way the monkey tests for this is pretty creative.
[36:15.340 --> 36:22.180]  It creates a new user, a new local user on the machine and tries to communicate online,
[36:22.180 --> 36:25.800]  tries to just go out to the internet with an unknown new user.
[36:25.800 --> 36:29.560]  This is a completely unknown user because it's a random username.
[36:29.560 --> 36:33.120]  There's no chance that it existed before.
[36:33.120 --> 36:37.080]  And as you can see, it was able to do that two times.
[36:37.140 --> 36:42.940]  It created a new user and reached out to infectionmonkey.com,
[36:42.940 --> 36:47.800]  so not even a super well-known domain, even though we do get quite a lot of traffic,
[36:47.800 --> 36:51.780]  with some new user and a bunch of random characters.
[36:52.000 --> 36:57.620]  And the process succeeded. It managed to create this communication with a new user.
[36:57.620 --> 37:06.740]  That means that our network, this sample network, doesn't block unknown users from communicating online.
[37:07.300 --> 37:12.220]  And as you can see, some tests can be mapped to quite a lot of different pillars,
[37:12.220 --> 37:16.740]  because this is about people, this is about networks, and this is about visibility.
[37:16.740 --> 37:18.680]  You should be able to see this stuff.
[37:20.700 --> 37:28.280]  The monkey also obviously maps every single device that was exploited as a problem,
[37:28.280 --> 37:38.640]  because you need to do some traditional endpoint security to stop the monkey from propagating across the network.
[37:39.400 --> 37:44.580]  And as you can see, the monkey was able to exploit those endpoints,
[37:44.580 --> 37:47.920]  and you need to check the logs to see if you can recognize this activity.
[37:47.920 --> 37:51.540]  Specifically here, we can see all the exploit attempts.
[37:51.540 --> 37:58.480]  Now, even failed exploit attempts should be logged, but successful attempts obviously should have been blocked.
[37:59.040 --> 38:06.100]  And again, you can export all these results to a JSON file that you can then match up and script to other stuff.
[38:07.620 --> 38:10.560]  The monkey also mapped whatever passed.
[38:10.720 --> 38:15.500]  So, in six different instances, the monkey wasn't able to create a new user,
[38:15.500 --> 38:22.860]  because of endpoint protection or maybe firewalls blocking the communication.
[38:23.100 --> 38:27.960]  So, even if some tests are failing, the monkey lists everything for you.
[38:27.960 --> 38:32.060]  So, you can see what you do have on lockdown and what you don't have on lockdown.
[38:34.840 --> 38:40.220]  The verify part of the report tells you the stuff that you need to verify manually.
[38:40.220 --> 38:46.560]  This is basically a list of everything bad that the monkey has done in this simulation,
[38:46.560 --> 38:55.940]  that you need to test and see whether you can find all the malicious activity in logs and alerts.
[38:55.940 --> 39:01.440]  This is sort of the, let's check how the organization will respond part of the report.
[39:01.680 --> 39:08.860]  And again, once you're done fixing all the holes, going over all the reports, pushing out all the information,
[39:08.860 --> 39:14.740]  you can start over, run again, and within a few minutes, you'll get this report anew.
[39:14.740 --> 39:20.540]  So, you can see if you actually closed all the issues, or maybe you did it incorrectly this time.
[39:21.220 --> 39:24.840]  Lastly, the monkey has the MITRE ATT&CK report.
[39:24.840 --> 39:30.540]  This shows information about the MITRE ATT&CK techniques that were used by InfectionMonkey.
[39:32.120 --> 39:38.920]  This enables you to see which techniques were successfully used by the monkey,
[39:38.920 --> 39:42.520]  which techniques the monkey tried to use, but it failed,
[39:42.520 --> 39:44.880]  which techniques just weren't attempted,
[39:44.880 --> 39:48.060]  and which techniques are disabled and you need to enable in order to run.
[39:48.060 --> 39:53.480]  In this case, we don't have anything disabled because we had monkey running full throttle.
[39:54.200 --> 40:00.280]  And if we want to get more information about some of the ways that the monkey utilized techniques,
[40:00.280 --> 40:08.080]  we can click on any of these techniques and see what the monkey exactly did when it tried to use this technique.
[40:08.080 --> 40:11.200]  Let's take a look at multi-hop proxy, for example.
[40:11.200 --> 40:19.640]  Let's say we want to completely lock down our network and disallow attackers from doing command and control.
[40:19.640 --> 40:23.100]  We want them to be completely lost, even if they manage to breach.
[40:23.400 --> 40:25.760]  So, what did the monkey do?
[40:25.760 --> 40:31.080]  Well, the monkey used multi-hop proxy, and we can see exactly which tunnels it created.
[40:31.080 --> 40:37.160]  It created a tunnel from Tunneling 11 to Tunneling 9 with two hops.
[40:37.160 --> 40:40.380]  We saw that on the map before.
[40:40.660 --> 40:43.020]  This is these lines.
[40:43.040 --> 40:47.580]  Yes, this communication path is a multi-hop proxy.
[40:48.280 --> 40:50.960]  Now, let's say you are using the MITRE ATT&CK framework,
[40:50.960 --> 40:54.840]  but you don't exactly remember what the multi-hop proxy technique is.
[40:54.840 --> 40:58.420]  Well, you can just click on this question mark here,
[40:58.420 --> 41:04.940]  and we immediately show you the relevant page in the MITRE ATT&CK framework.
[41:05.020 --> 41:11.520]  MITRE ATT&CK is an open source project as well, greatly beneficial to the security community.
[41:12.700 --> 41:19.820]  We also pull the mitigations, because the moment you find that a technique was successfully used,
[41:19.820 --> 41:21.860]  you want to know how to mitigate it.
[41:21.860 --> 41:28.980]  So we just list the mitigations from the MITRE ATT&CK database.
[41:29.280 --> 41:31.940]  Let's say Uncommonly Used Port.
[41:32.060 --> 41:34.700]  Well, the monkey, you get, again, more details.
[41:34.700 --> 41:38.340]  The monkey used this port to communicate to the command and control server.
[41:38.340 --> 41:40.200]  And you also get mitigations.
[41:40.200 --> 41:43.520]  Obviously, popping up again is network segmentation.
[41:44.620 --> 41:51.040]  Some other stuff, you can see that the monkey did some persistence testing.
[41:51.040 --> 41:53.400]  It's important to note that this is only testing.
[41:53.400 --> 41:55.940]  The monkey doesn't persist on machines.
[41:55.940 --> 41:58.340]  It only tests if it can persist.
[41:58.780 --> 42:01.220]  For example, it used the create account technique.
[42:01.220 --> 42:05.640]  As we saw before, it was able to create a new user on the network system.
[42:05.920 --> 42:10.280]  And we can see the results for each attempt, even if it failed.
[42:10.780 --> 42:13.740]  And you can see different mitigations.
[42:13.920 --> 42:16.820]  Again, you should use multi-factor authentication.
[42:16.820 --> 42:22.580]  You need to configure your operating system so that malware can create new users, etc.
[42:22.640 --> 42:30.160]  As an accessibility feature, we also list all the techniques in a list instead of the matrix.
[42:30.240 --> 42:32.100]  So it's easier to navigate.
[42:32.180 --> 42:37.100]  And also, if you have problems seeing the colors of the report, you can see the icons.
[42:37.340 --> 42:44.300]  However, we found out that even our regular users love this display.
[42:44.300 --> 42:49.340]  So just all users like the display as a list as well.
[42:49.340 --> 42:55.860]  And again, you can open up the techniques and see that, for example, in the collection tactic,
[42:55.860 --> 43:02.140]  the monkey used the data from local system and gathered sensitive data, like SSH keys.
[43:03.860 --> 43:07.140]  These are the three reports.
[43:07.360 --> 43:09.880]  Deploying the monkey is super easy.
[43:09.880 --> 43:16.860]  You have the different deployment options, and you can see them or ask some questions.
[43:16.860 --> 43:22.080]  Let's say you're not sure what the MSSQL exploiter is or how it works.
[43:22.080 --> 43:30.100]  Well, in this version, which comes out for DEF CON in a few days from when I'm recording this,
[43:30.100 --> 43:37.260]  we also brought up a new documentation site, which guides you towards setup guides, getting started guides,
[43:37.260 --> 43:45.080]  frequently asked questions, references for all the exploiters we're using and all the operating systems the monkey runs on,
[43:45.080 --> 43:51.160]  which operating system it supports, some scenarios that you can run.
[43:53.100 --> 43:59.840]  These are the test scenarios we talked about, like a breach from internet-facing servers, phishing.
[43:59.840 --> 44:05.920]  You want to test segmentation or you want to verify security solutions and the procedures and the teams.
[44:05.920 --> 44:19.680]  This is sort of the purple team, you know, magic option, a deep dive into all the reports and seeing how to integrate monkey into other stuff.
[44:19.800 --> 44:35.900]  At the time of this recording, we're supporting integration, deep integration with AWS, both the security hub,
[44:35.900 --> 44:47.160]  and automatically on your EC2 instances. And the guides are pretty deep about every single option that we provide.
[44:47.160 --> 44:53.780]  Let's say the Windows installer, well, it's supposed to be very user-friendly with troubleshooting,
[44:53.780 --> 44:58.760]  and it's open source like the rest of the project. So if you find something that you want added,
[44:58.760 --> 45:03.980]  you can just edit it or open an issue for us, and we'll take care of that.
[45:06.580 --> 45:15.040]  Now what? So we're done with the demo. We took a look at how the monkey works and what it can offer you.
[45:15.340 --> 45:23.900]  So first of all, from us to you, we're releasing a new version, version 1.9.0 with more attack techniques,
[45:23.900 --> 45:29.780]  as you've seen in the report, the monkey runs faster and completes the simulation a lot quicker.
[45:29.780 --> 45:35.880]  The server itself has great performance improvements as well, so you can run it on large-scale networks,
[45:35.880 --> 45:42.760]  and the UI is improved. Compared to old versions, maybe you can pull up old versions of the tool
[45:42.760 --> 45:49.780]  and see that the UI has been vastly improved. It's also a lot more secure.
[45:49.780 --> 45:58.660]  We've integrated with Snyk.io, a service that checks the dependencies of a project for vulnerabilities.
[45:58.820 --> 46:09.120]  So we've vetted the product from having vulnerabilities in its bag, and we've run a lot of tests.
[46:09.120 --> 46:18.920]  This really coincides with the fact that we do have big enterprises running us in production networks that actually matter.
[46:18.920 --> 46:27.020]  So we had to step up there. And the monkey is secured by default. For this demo, I turned this feature off,
[46:27.020 --> 46:34.320]  but every single InfectionMonkey instance that you will deploy is password protected by default.
[46:34.320 --> 46:38.640]  You have to set up a user and password combination in order to access the monkey.
[46:38.640 --> 46:44.400]  So even if you set up the InfectionMonkey in a network and somehow lose access to the server,
[46:44.400 --> 46:50.700]  or maybe open up access to attackers to that server, that doesn't mean that they are going to take control of the monkey,
[46:50.700 --> 46:53.820]  because they will need the password combination as well.
[46:54.380 --> 47:00.600]  So you can download this version for free from InfectionMonkey.com, our homepage.
[47:01.020 --> 47:06.340]  You can also access articles and the documentation site from InfectionMonkey.com.
[47:06.700 --> 47:13.700]  And I'm inviting you, first of all, I'm inviting you to use the monkey. Use the InfectionMonkey.
[47:13.700 --> 47:18.600]  If you're doing red teaming, purple teaming, blue teaming, this is a great tool for you.
[47:18.600 --> 47:23.740]  It's automatic, it's free, covers a lot of ground, covers a lot of frameworks.
[47:23.740 --> 47:27.880]  If you're doing penetration testing, for me, the monkey is a no-brainer.
[47:27.880 --> 47:34.560]  It takes out all the skidding part of penetration testing, does it for you, gives you a pretty nice map,
[47:34.560 --> 47:39.160]  and from the results the monkey gives you, you can do much smarter stuff.
[47:39.160 --> 47:45.960]  You can focus on the harder parts of penetration testing, on the manual parts, maybe the human parts.
[47:45.960 --> 47:54.320]  I don't know if we're still doing physical examinations in COVID times, but if you're hacking a site physically,
[47:54.320 --> 48:02.040]  opening doors with credit cards and whatever, let the monkey take care of scanning ports and using the vulnerabilities
[48:02.040 --> 48:07.560]  and stealing credentials and remembering them. You don't need to do that manually anymore.
[48:07.560 --> 48:15.840]  If you want to do network analysis or even IT and security analysis, let's say you purchase a new security solution
[48:15.840 --> 48:21.920]  for your network, you want to test that stuff and you don't want to test it manually.
[48:21.920 --> 48:26.520]  Run the monkey after you install it and make sure you configured it correctly, make sure it actually works.
[48:27.600 --> 48:32.000]  So the main invitation for me to you is to use the monkey.
[48:32.780 --> 48:37.920]  Secondly, you can join us. You can join the monkey trainers community. You can contribute.
[48:37.920 --> 48:43.920]  User feedback is the number one priority setter for us on the roadmap.
[48:43.980 --> 48:51.320]  If a user has a question or a problem or discovers a bug, it jumps to the top of the backlog.
[48:51.320 --> 48:54.760]  So your feedback could really impact the project.
[48:55.260 --> 49:00.740]  Now with our new documentation site, you can also very easily contribute documentation.
[49:00.740 --> 49:09.440]  If you have new scenarios in mind, maybe you want to add more information about specific exploiters or share your screenshots,
[49:09.440 --> 49:15.540]  something you can add to the troubleshooting section, a whole new part of the documentation you think about,
[49:15.540 --> 49:19.480]  you can easily contribute documentation directly from the web.
[49:19.900 --> 49:28.180]  And obviously, if you're a developer, if you're a security developer, if you want to contribute new exploits, new scanners,
[49:28.180 --> 49:31.860]  new MITRE ATT&CK techniques to increase the coverage.
[49:31.860 --> 49:36.660]  If you're into Zero Trust and you want to add more Zero Trust tests, you can contribute code.
[49:36.660 --> 49:40.360]  The project is completely open source and completely free.
[49:40.360 --> 49:43.600]  There is no freemium version. There is no pro version.
[49:43.600 --> 49:46.640]  This is a 100% community project.
[49:46.920 --> 49:50.300]  And lastly, I invite you to spread the word.
[49:50.920 --> 49:59.860]  The monkey is completely dependent on the users and the community to do good in the world.
[49:59.860 --> 50:04.460]  And if you want to help it, you just need to tell other people about it.
[50:04.760 --> 50:09.820]  Since this is a recording, I can't take questions in the recording.
[50:09.940 --> 50:16.140]  But in DEF CON Safe Mode, I should be online on Discord right now to answer your questions.
[50:16.140 --> 50:22.600]  However, if you're watching this recording after the event happened, don't worry.
[50:22.600 --> 50:30.820]  You can reach out to the entire InfectionMonkey community by going to infectionmonkey.com and clicking on the community button.
[50:30.820 --> 50:34.660]  You will be able to access our public Slack.
[50:34.660 --> 50:45.400]  We have a public Slack workspace where all the developers and all the users hang out, answer troubleshooting questions, talk about features, and discuss security in general.
[50:45.400 --> 50:50.300]  You can also access it from the documentation site right here in our Slack.
[50:50.300 --> 50:56.000]  You can also reach us by support at infectionmonkey.com if you're having any issues.
[50:56.000 --> 51:00.120]  Take a look at the code at github.com/GuardiCore/InfectionMonkey.
[51:00.120 --> 51:03.900]  And just take a look at our homepage, take a look at the articles.
[51:04.740 --> 51:09.380]  Thank you very much and enjoy the rest of DEF CON safely.
[51:09.380 --> 51:15.500]  Wash your hands, keep your mask on, but since we're at home, we can ignore these for now.
[51:15.760 --> 51:17.480]  Thank you very much.
